security - AVM 360
Security & Deployment

Your Security Requirements. Your Deployment Model.

Every organisation has different security requirements. AVM-360 is the only AV monitoring platform that adapts completely to yours — from fully air-gapped on-premise to full cloud — with the same feature set across all options.

Start Free Trial → Read Deployment Guide
🔒Data sovereignty options
☁️Cloud or on-premise
🛡️Encrypted communication
⚙️Least-privilege access
How Data Flows in AVM-360
🖥️
AV Devices
Crestron, Cisco, Biamp, etc.
📡
Local Collector
NUC or Client VM on your VLAN
🔒 All device communication stays inside your network
Then — depending on your deployment choice:
🏢On-Premise Only
Data never leaves your network
🔀Hybrid
Read-only status pushed to cloud dashboard
☁️Full Cloud
Platform hosted on your cloud or AVM-360 Azure
Our Security Philosophy

We Meet You Where Your Security Posture Is — Not Where It's Convenient for Us

Most monitoring platforms force you to compromise your security requirements to use their product. AVM-360 was architected from day one to adapt to your environment — whether that's a fully air-gapped on-premise deployment, a hybrid cloud model, or a full SaaS setup. The platform is the same. The deployment model is your choice.

3 Deployment Options

Choose the Model That Fits Your Security Requirements

All three models use the same local collector on your VLAN to communicate with AV devices. What changes is where the management platform sits — and who controls it.

1

Full On-Premise Deployment

Client VM or NUC · AVM-360 deploys and configures it · Data never leaves your network
🏢 Maximum Security
🏢 Your Network — Everything Stays Here
📺
Display
🎙️
DSP
🎥
Camera
🖥️
Codec
LOCAL VLAN ONLY
📡
Local Collector
NUC or Windows VM
INTERNAL NETWORK
💻
Your Dashboard
Accessed inside your network
🚫 NO DATA LEAVES YOUR NETWORK — EVER

How It Works

The entire AVM-360 platform — collector, database, and web interface — runs inside your network on a client-provided Windows VM or NUC. AVM-360 deploys and configures it remotely. Once set up, your team manages everything locally. No data ever leaves your network perimeter.

  • Platform hosted on a Windows VM or NUC inside your network
  • AVM-360 handles full remote deployment and configuration
  • AV device data collected locally — never transmitted externally
  • Web dashboard accessed from within your internal network
  • Remote access via TeamViewer or equivalent for ongoing support
  • All data sovereignty requirements met by design
Ideal for
HealthcareGovernmentFinance DefenceRegulated industries
Architecture — On-Premise
🖥️
AV Devices (on VLAN)
Crestron, Cisco, Biamp, Extron, etc.
Local network only
📡
Local Collector (NUC / Windows VM)
Polls devices · Runs local database · Hosts web interface
Internal network only
👤
Your Team's Browser
Dashboard accessed inside your network
🔒 Zero external data transmission · Complete air-gap possible
✓ What we need from you
  • • Windows 10/11 VM or NUC (8GB RAM, 100GB disk)
  • • VM must have access to your AV VLAN
  • • TeamViewer (or equivalent) for our remote deployment
  • • Device IP list, MAC addresses, and credentials
2

Hybrid Deployment

Local collector on your network · Read-only status data pushed to cloud dashboard · Raw device data stays on-site
🔀 Balanced Control
🏢 Your Network
📺
Devices
📡
Collector
NUC / VM
STAYS LOCAL:
Raw device traffic
Credentials & IPs
Network config
STATUS ONLY
🔒 ENCRYPTED
☁️ Cloud
📊
Dashboard
Read-only view
CLOUD RECEIVES:
Online / offline status
Alert notifications
Uptime metrics
CLOUD CONVENIENCE · DEVICE DATA NEVER LEAVES YOUR NETWORK

How It Works

A local collector (NUC or VM) sits on your VLAN and polls AV devices directly. It translates complex, multi-vendor device data into lightweight JSON status packets and pushes only those status summaries to a cloud dashboard. Raw device traffic and credentials never leave your network — only sanitised status updates do.

  • Local collector on your VLAN handles all device communication
  • Only anonymised status data (online/offline, error codes) pushed to cloud
  • Raw device traffic, credentials, and configuration data stays on-premise
  • Cloud dashboard provides read-only visibility for multi-site overview
  • Ideal for organisations wanting cloud convenience without full cloud exposure
  • Outbound ports 443 (HTTPS) and 587 (SMTP) required on the local gateway
Ideal for
Multi-site enterprisesEducation Corporate HQMSPsHospitality
Architecture — Hybrid
🖥️
AV Devices (on VLAN)
All brands, all protocols
Local network only
📡
Local Collector (NUC / VM)
Polls devices · Translates to JSON status packets
Encrypted HTTPS · Status only · No raw data
☁️
Cloud Dashboard (Read-Only)
Status visibility · Alerts · Reporting
🔒 Only status summaries transmitted · No credentials · No raw traffic
→ What travels to the cloud
  • • Device online / offline status
  • • Error codes and alert triggers
  • • Device name and room label (configurable)
  • • Uptime metrics for reporting
✓ What stays on your network
  • • All raw device traffic and packets
  • • Device credentials and authentication
  • • Network topology and IP schema
3

Full Cloud Deployment

Local collector still required on your VLAN · Platform hosted on your cloud infrastructure or AVM-360's Azure environment
☁️ Fastest Setup
🏢 Your Network (Always)
📺
🎙️
🎥
📡
Local Collector
Required on VLAN
🔒 Encrypted
Option A
🏢
Your Cloud Infrastructure
AWS · Azure · GCP
You control the hosting
— OR —
Option B
☁️
AVM-360 Azure
Fully managed · 99.9% SLA
Zero infrastructure overhead
LOCAL COLLECTOR ALWAYS REQUIRED ON YOUR VLAN · PLATFORM HOSTED IN CLOUD

How It Works

A local collector (NUC or VM) still sits on your VLAN to communicate with AV devices — this is always required since AV devices are on your local network. The management platform, database, and web dashboard are hosted in the cloud, either on your own cloud infrastructure (AWS, Azure, GCP) or in AVM-360's managed Azure environment.

  • Local collector on VLAN handles all device communication (always required)
  • Option A: Platform deployed on your own AWS, Azure, or GCP infrastructure
  • Option B: Platform hosted on AVM-360's managed Azure environment — zero infrastructure overhead
  • Fastest time-to-value — platform ready before the collector is even deployed
  • Full feature access including AI diagnostics, multi-site view, and white-label
  • AVM-360 Azure option includes managed updates, backups, and 99.9% uptime SLA
Ideal for
IntegratorsMSPsSMB Cloud-first organisationsRapid deployment
Architecture — Full Cloud (Two Options)
🖥️
AV Devices (on VLAN)
All brands, all protocols
Local network only
📡
Local Collector (NUC / VM) — Always Required
Translates device data to JSON · Sends status to cloud
Encrypted HTTPS
🏢Option A
Your Cloud
AWS · Azure · GCP
☁️Option B
AVM-360 Azure
Managed · Backed up · 99.9% SLA
🔒 Platform encrypted in transit and at rest · Role-based access enforced
AVM-360 Azure Managed — What's Included
  • • Fully managed Azure hosting — AVM-360 handles infrastructure
  • • Automatic updates and security patches
  • • Daily backups with point-in-time recovery
  • • 99.9% platform uptime SLA
  • • Data residency options available on request
Quick Comparison
Feature Full On-Premise Hybrid Full Cloud
Data leaves your networkNeverStatus onlyStatus + config
Local collector requiredYesYesYes
Cloud dashboardRead-onlyFull access
Who hosts the platformYou (on-prem)MixedYou or AVM-360
Best for regulated industries✓✓✓✓✓
Security Architecture

Security Isn't an Add-On — It's the Foundation

Every layer of AVM-360 is built with security as the default state. These are not optional features — they apply across all deployment models.

🔐

Least-Privilege Access

The platform operates on a strict least-privilege model. Every user, service, and process has only the minimum access required for its function — nothing more.

🔒

Encrypted Communication

All data in transit is encrypted. Between the local collector and cloud, between users and the dashboard, and between the platform and external ITSM integrations.

👥

Role-Based Access Control

Granular RBAC across all users. Technicians, administrators, facility managers, and read-only client users each see only what their role requires.

📡

Local Collector Architecture

The local collector is the only component that talks directly to AV devices. It translates complex multi-vendor data to simple status packets — never exposing raw device traffic externally.

🗂️

Secure Document Storage

Room schematics, wiring diagrams, and device credentials stored in AVM-360 are protected with role-based access and optional password protection per document.

🔍

Audit Trail & Logging

All user actions, device state changes, and remote commands are logged. Full audit trail available for compliance, security reviews, and incident investigation.

Why a Local Collector?

Why AV Monitoring Always Needs Something On Your Network

AV devices — projectors, DSPs, codecs, cameras — communicate using proprietary protocols (Telnet, SSH, REST, SNMP, serial) that only work inside the local network they're installed on. There is no way to monitor them directly from the cloud.

The local collector (a Windows VM or NUC running on the same VLAN as your AV devices) bridges this gap. It speaks the languages of your devices, collects their status, and translates it into standardised data. This is true for all three deployment models — only what happens to that data next changes.

  • One collector required per unique AV VLAN
  • Collector communicates with devices using their native protocols — nothing changes for the devices themselves
  • Credentials for AV devices are stored locally on the collector — never in the cloud
  • Windows 10/11 VM or NUC with 8GB RAM and 100GB disk is all that's needed
  • AVM-360 deploys and configures the collector remotely via TeamViewer or equivalent
Full Deployment Guide →
How the Collector Works
📺
Display
Philips/Samsung
+
🎙️
DSP
Biamp/QSC
+
🎥
Codec
Cisco/Poly
↓ Telnet · SSH · REST · SNMP · Serial (local VLAN only)
📡
Local Collector
Windows VM / NUC · On your VLAN
Translates → JSON status packets
Model 1: stays here
🏢 On-Prem
Local dashboard
🔀 Hybrid
Status → cloud
☁️ Cloud
Full cloud platform
🔒 Device credentials never transmitted · Encrypted in all cloud models
Security Questions

Answers to the Questions Your Security Team Will Ask

Can we run this with zero data leaving our network?

Yes — with the Full On-Premise deployment, the entire platform runs inside your network. The dashboard is accessed internally, and no data of any kind is transmitted externally. This model is designed specifically for air-gapped or highly regulated environments.

What exactly is transmitted to the cloud in the Hybrid model?

Only sanitised status summaries — device online/offline state, error codes, and uptime metrics. Raw device traffic, network topology, IP addresses, credentials, and configuration data all remain on-premise. The collector translates device data to simple JSON status packets before any transmission.

Do you store device credentials?

Device credentials (usernames, passwords, API keys) are stored on the local collector only — which runs inside your network. They are never transmitted to or stored in the cloud under any deployment model.

Which cloud does AVM-360 use for its managed option?

AVM-360's managed cloud option runs on Microsoft Azure. Data residency options are available on request. All data is encrypted at rest and in transit, with daily backups and a 99.9% uptime SLA.

Can we deploy on our own Azure, AWS, or GCP?

Yes — this is the Full Cloud Option A. We deploy the AVM-360 platform on your own cloud infrastructure, giving you full control of the hosting environment while AVM-360 manages the application layer.

What access does AVM-360 need to our environment?

For deployment and ongoing support, we require remote access to the local collector via TeamViewer or equivalent. This is scoped to the collector only — we do not require access to your broader network, Active Directory, or other infrastructure.

Talk to Us About Your Requirements

Not Sure Which Model Fits Your Security Posture?

Our team works with your IT and security stakeholders to recommend the right deployment model for your environment — no one-size-fits-all approach.

Talk to Our Team → Read Deployment Guide